Compliance & Strategy

New Chinese law opens firms to cyber exploitation

China has introduced a new cyber security law that will enable its government to monitor and potentially discover any breaches to the security systems of any company doing business in the country.

The law grants the China Information Technology Evaluation Center (CNITSEC) power to request source code and other intellectual property of tech suppliers. Some experts warn that this information could well be exploited by CNITSEC for purposes of its own; most probably in the furtherance of its intelligence operations.

For instance, if CNITSEC were asked to investigate any foreign firm for national security reasons, it could handover the resulting intelligence to the MSS for use in state-sponsored cyber-attacks. This would not only mean an elevated risk for a company’s own networks and services, but to their customers around the world. Such an event would also be likely to result in a PR nightmare in the firm’s home country, and be flagged as a risk for governmental use there.

The new measures put companies in a very uncomfortable position; either being forced to hand over their proprietary technology or lose out on one of the world’s largest and most lucrative markets. It’s expected that these new rules will provide onerous for foreign companies looking to navigate the market.

Several large businesses have already submitted to cyber requests from the Chinese government; with IBM and Apple among them. But it’s not yet known whether these new measures, and the sweeping powers they could potentially give to Chinese intelligence services, will prove a step too far.